I remember someone talking about sharing keys between systems so you can ssh around at will without needing the password.... We are trying to do this, but are having a hard time. Anyone have a good doc (or willing to write one) about how to do this?

Basically we are ssh-keygen -t (dsa/rsa) the keys, copy them to the "remote" servers' ~/.ssh/. There are conflicting docs at this point... some say you need an ssh-agent, some don't mention it. Some use passphrases, some don't. But if I have to enter an ssh passphrase every time, why not just use the account password?

Any advice would be helpful... thanks as always..

Mike
On Wed, Nov 30, 2005 at 12:37:19PM -0800, Mike Leo wrote:
Basically we are ssh-keygen -t (dsa/rsa) the keys, copy them to the "remote" servers ~/.ssh/
What are you copying? For example, I create my dsa keys:

    ~/.ssh/id_dsa
    ~/.ssh/id_dsa.pub

then I export my pub key to the remote server:

    $ scp ~/.ssh/id_dsa.pub remotebox:~/
    $ ssh remotebox                          # <- enter my pw
    $ mkdir -p ~/.ssh && chmod 700 ~/.ssh    # <- in case ~/.ssh doesn't exist yet on remotebox
    $ cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
    $ rm ~/id_dsa.pub
    $ logout
    $ ssh remotebox                          # <- no pw needed
There are conflicting docs at this point... some say you need an ssh-agent, some don't mention it. Some use passphrases, some don't. But if I have to enter an ssh passphrase every time, why not just use the account password?
Passphrases are not required, but many people like to use them. ssh-agent allows you to cache the passphrase for a certain amount of time, thus finding some middle ground between 'always use pw' and 'never use pw' authentication.

-mike
I do exactly that, yet it still prompts me for a password when ssh'ing. Thoughts?

--- Mike Frysinger <vapier@gentoo.org> wrote:
_______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
Make sure public key auth is enabled on the client and server:

/etc/ssh/sshd_config:

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

/etc/ssh/ssh_config:

    Host *
        RSAAuthentication yes
        PubkeyAuthentication yes

(these are defaults, and so they are commented out in my files)

SSH version 1 uses RSAAuthentication, SSH version 2 uses PubkeyAuthentication.

Make sure the perms on the directories and files are tight enough (sshd checks):

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/*

Finally, are both the server/client the same implementation of SSH? SSH.COM uses slightly different formats than OpenSSH for the public keys. ssh-keygen can convert between the formats.

On Wed, Nov 30, 2005 at 01:27:54PM -0800, Mike Leo wrote:
-- Chuck R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/ PGP Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
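Chuck's permission advice turned into a check, as an added example that is not code from the thread: it reproduces what sshd (StrictModes, the default) and the ssh client test before they fall back to a password prompt, for a home directory passed as an argument, and the fix function applies the chmods above per path. GNU or BSD stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the permission checks that
# make sshd silently ignore authorized_keys (StrictModes, on by default) or
# make the ssh client refuse a private key, so the "still prompts for a
# password" symptom can be diagnosed without enabling sshd debug logging.
# Assumes GNU or BSD stat; the home directory is passed in as an argument.

mode_of() {
  # Permission bits of a path in octal (GNU stat first, BSD stat fallback)
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms HOME_DIR: print one finding per line, return 1 if any
check_ssh_perms() {
  home=$1
  rc=0
  # sshd refuses the whole file if the home dir, ~/.ssh or the file itself
  # is group- or world-writable (mode & 022 != 0)
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ -e "$p" ] || continue
    m=$(( 0$(mode_of "$p") ))
    if [ $(( m & 022 )) -ne 0 ]; then
      echo "group/world writable, sshd will ignore authorized_keys: $p"
      rc=1
    fi
  done
  # the ssh client refuses a private key that anyone but its owner can read
  for k in "$home/.ssh/id_dsa" "$home/.ssh/id_rsa"; do
    [ -f "$k" ] || continue
    m=$(( 0$(mode_of "$k") ))
    if [ $(( m & 077 )) -ne 0 ]; then
      echo "readable by others, ssh will refuse it: $k"
      rc=1
    fi
  done
  return $rc
}

# fix_ssh_perms HOME_DIR: the chmods from Chuck's message, applied per path
fix_ssh_perms() {
  chmod go-w "$1"
  chmod 700 "$1/.ssh"
  for f in "$1/.ssh/authorized_keys" "$1/.ssh/id_dsa" "$1/.ssh/id_rsa"; do
    [ -f "$f" ] && chmod 600 "$f"
  done
  return 0
}
```

To catch the case Chuck warns about later in the thread (a private key with no passphrase), `ssh-keygen -y -P '' -f ~/.ssh/id_dsa` prints the public key only when the private key is stored unencrypted.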
Just for the record, I did not have to make any changes from the default sshd_config file to get this to work.

--- Chuck Anderson <cra@WPI.EDU> wrote:
I got it!! Weird, but I had to change the permissions on the auth file to 640, and then it worked. What's weird is that with less restrictive permissions (644) it failed, but more secure works. Anyway, thanks for the feedback!

--- Mike Frysinger <vapier@gentoo.org> wrote:
Oh yea, I forgot that. That one bit me the first 10 times I did this... Strange, though, that if this is a RAC requirement it wouldn't be outlined in the RAC docs...

-Jared

On 11/30/05, Mike Leo <mleo963@yahoo.com> wrote:
YAAHAHAHAHAHAA!!! Accurate Oracle documents??!?!? HAHHAHAHAAHA

--- Jared Greenwald <greenwaldjared@gmail.com> wrote:
I've used this setup in the past...

http://www.astro.caltech.edu/~mbonati/WIRC/manual/DATARED/setting_up_no-pass...

On 11/30/05, Mike Leo <mleo963@yahoo.com> wrote:
On Wed, Nov 30, 2005 at 12:37:19PM -0800, Mike Leo wrote:
There are conflicting docs at this point... some say you need an ssh-agent, some don't mention it. Some use passphrases, some don't. But if I have to enter an ssh passphrase every time, why not just use the account password?
Passwords get sent tunneled through the encrypted SSH connection. A trojaned ssh server could steal your password. Passphrases and private keys are never sent anywhere outside of your box (unless you want them to).

If an account password gets compromised, you may have to change it on many boxes, and it may be shared with other unrelated accounts elsewhere. If a passphrase gets compromised, it doesn't allow anyone to do anything without your private key file--you need both the private key and the passphrase.

You can share your passphrase for many different private keys, but still have different passwords on unrelated remote systems.

You can cache the passphrase in the memory of your local box (ssh-agent) so you don't need to enter anything to ssh to remote boxes.

Using a private key with a blank passphrase means someone could steal your private key file and use it to log in as you. This weakens the requirement for having to steal both the private key and the passphrase. Since the private key sits on disk for a long time, someone down the road could steal it and you may never know. This is even worse if you use a network filesystem for your home directory. The passphrase encrypts your private key.
That was all good info... thanks. We need to ssh via a service so we can't use a username/password scheme, and, well, it should work!! Also, Oracle requires this ability to set up their Oracle RAC database, to/from each node in the cluster.

--- Chuck Anderson <cra@WPI.EDU> wrote:
I usually create service-specific unprivileged accounts with their own SSH keys with no passphrases for this purpose.

If there are many services/users that need to log in between the boxes, and you don't mind the boxes trusting each other completely, you can use HostBasedAuthentication, which is sort of like rhosts, but with SSH public key authentication. Then any user can SSH between boxes that are in /etc/ssh/shosts.equiv with no password, and no user-specific key/passphrase required.

On Wed, Nov 30, 2005 at 01:38:42PM -0800, Mike Leo wrote:
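Mike Frysinger's copy-the-.pub-and-append recipe and Chuck's suggestion of passphrase-less keys on service-specific accounts, combined in one script as an added example that is not code from the thread: it installs a key idempotently with the permissions sshd insists on, and can prepend authorized_keys options (from=, command=, no-pty, ...) so a passphrase-less service key can only do its one job. It assumes the .pub file has already been scp'd to the target box; the paths and the "rac-sync" command name used in the usage are made up.

```shell
#!/bin/sh
# Added example (not from the thread): install one public key into an
# account's authorized_keys the way the thread does, but idempotently, with
# the permissions sshd requires, and optionally restricted with
# authorized_keys options so a passphrase-less service key is limited to
# one command and one source host. Run on the target box.

# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS] [OPTIONS]
#   OPTIONS is an authorized_keys option string, e.g.
#   'from="10.0.0.5",command="/usr/local/bin/rac-sync",no-pty,no-port-forwarding'
# Prints "added" or "present"; returns 1 if PUBKEY_FILE is not one key line.
install_pubkey() {
  pub=$1
  ak=${2:-$HOME/.ssh/authorized_keys}
  opts=$3
  dir=$(dirname "$ak")

  # Exactly one key line of the form "<type> <base64> [comment]"
  [ "$(grep -c . "$pub")" -eq 1 ] || return 1
  keytype=$(awk '{print $1}' "$pub")
  keydata=$(awk '{print $2}' "$pub")
  comment=$(awk '{print $3}' "$pub")
  case $keytype in
    ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-*) ;;
    *) return 1 ;;
  esac

  # sshd ignores the file if ~/.ssh or the file is group/world writable
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$ak" && chmod 600 "$ak"

  # Idempotent: match on the key blob, not on the comment or the options
  if grep -qF "$keydata" "$ak"; then
    echo present
    return 0
  fi
  line="$keytype $keydata${comment:+ $comment}"
  [ -n "$opts" ] && line="$opts $line"
  printf '%s\n' "$line" >> "$ak"
  echo added
}

# Usage (hypothetical service key, restricted to a single sync command):
#   install_pubkey ~/svc.pub ~/.ssh/authorized_keys \
#     'from="10.0.0.5",command="/usr/local/bin/rac-sync",no-pty,no-port-forwarding'
```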